Analysis Overview
SHA256
296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0
Threat Level: Known bad
The file 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 01:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 01:22
Reported
2024-04-08 01:24
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
AgentTesla
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 332 set thread context of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe
"C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xanAlavQkh.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xanAlavQkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42AB.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
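The process list above (and the identical one in the behavioral2 run) carries the three behaviours worth alerting on: PowerShell adding Defender exclusions for the sample and for the Roaming copy it intends to run, schtasks.exe importing a task definition from a temp file, and the sample setting the thread context of a freshly started, argument-less RegSvcs.exe (the shape of process hollowing into a signed .NET host). The following triage script is an added example, not part of the sandbox report or its tooling. Its records are constructed from the command lines on this page; PIDs 332 and 2552 are taken from the SetThreadContext row, while the remaining PIDs, all parent PIDs, and the list of hollowing hosts are assumptions for the example.

```python
"""Triage sandbox process records for the behaviours seen in this report:
a Defender exclusion added via PowerShell, a scheduled task created from an
XML file in %TEMP%, and SetThreadContext from the sample into a .NET host
started with no arguments (process hollowing)."""

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe")

# Constructed from the behavioral1 Processes list. PIDs 332 and 2552 come from
# the SetThreadContext row; other PIDs and all parent PIDs are assumed.
EVENTS = [
    {"pid": 332, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2580, "ppid": 332,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                rf'Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 2824, "ppid": 332,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xanAlavQkh.exe"'},
    {"pid": 2900, "ppid": 332, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xanAlavQkh" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp42AB.tmp"'},
    {"pid": 2552, "ppid": 332,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
]
# (source_pid, target_pid) pairs from the "Suspicious use of SetThreadContext" row.
THREAD_CONTEXT = [(332, 2552)]

# Signed .NET utilities commonly abused as hollowing targets (analyst-chosen list).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_defender_exclusions(events):
    """Add-MpPreference -Exclusion{Path,Process,Extension} run from PowerShell."""
    out = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        toks = split_cmdline(e["cmdline"])
        low = [t.lower() for t in toks]
        if "add-mppreference" not in low:
            continue
        for i, t in enumerate(low):
            if t.startswith("-exclusion") and i + 1 < len(toks):
                out.append({"rule": "defender_exclusion", "pid": e["pid"],
                            "param": toks[i], "value": toks[i + 1]})
    return out


def find_schtasks_from_temp(events):
    """schtasks /Create /XML where the task definition lives in a Temp directory."""
    out = []
    for e in events:
        if basename(e["image"]) != "schtasks.exe":
            continue
        toks = split_cmdline(e["cmdline"])
        low = [t.lower() for t in toks]
        if "/create" not in low or "/xml" not in low or low.index("/xml") + 1 >= len(toks):
            continue
        xml_path = toks[low.index("/xml") + 1]
        name = toks[low.index("/tn") + 1] if "/tn" in low and low.index("/tn") + 1 < len(toks) else None
        if "\\appdata\\local\\temp\\" in xml_path.lower():
            out.append({"rule": "schtasks_xml_from_temp", "pid": e["pid"],
                        "task": name, "xml": xml_path})
    return out


def find_hollowed_hosts(events, thread_ctx):
    """SetThreadContext across processes into a known .NET host image."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for src, dst in thread_ctx:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is None or d is None or basename(d["image"]) not in HOLLOW_HOSTS:
            continue
        if basename(s["image"]) == basename(d["image"]):
            continue  # a host manipulating its own child is not what we want here
        out.append({"rule": "set_thread_context_into_dotnet_host",
                    "source_pid": src, "target_pid": dst, "target": d["image"],
                    "no_args": len(split_cmdline(d["cmdline"])) == 1,
                    "source_in_user_dir": s["image"].lower().startswith("c:\\users\\")})
    return out


def triage(events, thread_ctx):
    return (find_defender_exclusions(events)
            + find_schtasks_from_temp(events)
            + find_hollowed_hosts(events, thread_ctx))


if __name__ == "__main__":
    for finding in triage(EVENTS, THREAD_CONTEXT):
        print(finding)
```

Two points the records illustrate: the image paths sit under SysWOW64 while the command lines say System32, which is WOW64 file-system redirection for a 32-bit sample, so match on the image basename rather than the full path; and the exclusion for C:\Users\Admin\AppData\Roaming\xanAlavQkh.exe names a file the report never shows being written, which tells you where to look on a live host before the scheduled task fires.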
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
Files
memory/332-1-0x0000000074BD0000-0x00000000752BE000-memory.dmp
memory/332-0-0x00000000013A0000-0x0000000001456000-memory.dmp
memory/332-2-0x0000000004F00000-0x0000000004F40000-memory.dmp
memory/332-3-0x00000000005C0000-0x00000000005D4000-memory.dmp
memory/332-4-0x0000000000950000-0x000000000095A000-memory.dmp
memory/332-5-0x00000000009E0000-0x00000000009EE000-memory.dmp
memory/332-6-0x0000000004D30000-0x0000000004DB2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T85N9T3HMT28BFR32ECY.temp
| MD5 | 5401e34e2f106df664f63a69757aaf54 |
| SHA1 | 516128f8d030ea88d0472a31b1ad44686c427062 |
| SHA256 | 911416b0538cbfd57690dc576dbb7e7b11f38628f5324cad064695d2e28e198e |
| SHA512 | a3d3f426722636300f2f60c69c166f79e4b1e535fe5dd6d844a87be145028162ac080cf70254a04a51edbc165d0783bc8091737a341d0669e7dc5e40ad6d8923 |
C:\Users\Admin\AppData\Local\Temp\tmp42AB.tmp
| MD5 | d41e495227d0ceb99a48968f76fd551f |
| SHA1 | a3a5fb67f3b4285679ccb0022d18b137012d3bdd |
| SHA256 | 8d745d6a3e3072aad578b2f4314b048da4757d1e971a3ff96a81a934b3d64f42 |
| SHA512 | cf727d2fbef90c49662de7ef3dedb740a49773dd775ce232bbf8541669eb84683106228e900e8dd2cb1e144380be6380ffb49cf053c1715e62b3dd5ff398766a |
memory/2580-19-0x000000006FAB0000-0x000000007005B000-memory.dmp
memory/2824-20-0x000000006FAB0000-0x000000007005B000-memory.dmp
memory/2824-21-0x0000000002B50000-0x0000000002B90000-memory.dmp
memory/2580-23-0x000000006FAB0000-0x000000007005B000-memory.dmp
memory/2824-25-0x000000006FAB0000-0x000000007005B000-memory.dmp
memory/2580-27-0x0000000002BA0000-0x0000000002BE0000-memory.dmp
memory/2552-26-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2580-29-0x0000000002BA0000-0x0000000002BE0000-memory.dmp
memory/2552-30-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2552-31-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2552-34-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2552-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2552-36-0x0000000000400000-0x0000000000440000-memory.dmp
memory/332-38-0x0000000074BD0000-0x00000000752BE000-memory.dmp
memory/2552-39-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2552-40-0x0000000074BD0000-0x00000000752BE000-memory.dmp
memory/2824-42-0x000000006FAB0000-0x000000007005B000-memory.dmp
memory/2580-41-0x000000006FAB0000-0x000000007005B000-memory.dmp
memory/2552-43-0x0000000074BD0000-0x00000000752BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 01:22
Reported
2024-04-08 01:24
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AgentTesla
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2380 set thread context of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe
"C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xanAlavQkh.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xanAlavQkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F73.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
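Both runs register the task Updates\xanAlavQkh from an XML file in %TEMP% (tmp42AB.tmp on Windows 7, tmp6F73.tmp on Windows 10; hashes are listed under Files), but the report does not include the file contents. The parser below is an added example, not part of the report, for pulling the action, trigger and settings out of such a Task Scheduler definition. Its input is a constructed, hypothetical task body that only assumes the task launches the Roaming path the sample also excluded from Defender; the flag names and the list of user-writable directories are the example's own.

```python
"""Extract what a Task Scheduler XML definition runs, when, and with what
privileges, then flag the properties an analyst cares about."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed, hypothetical contents for tmp6F73.tmp. Real exported task files
# are UTF-16 with an XML declaration; pass those to parse_task_xml() as bytes
# so the parser honours the declared encoding.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\xanAlavQkh.exe</Command></Exec>
  </Actions>
</Task>
"""

# Directory fragments a standard user can write to (analyst-chosen list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")


def _text(element, path):
    found = element.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def parse_task_xml(data):
    """Return triggers, Exec actions, hidden flag, run level and analyst flags."""
    root = ET.fromstring(data)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [child.tag.split("}")[-1] for child in trig]
    actions = [{"command": _text(ex, "t:Command"), "arguments": _text(ex, "t:Arguments")}
               for ex in root.findall("t:Actions/t:Exec", NS)]
    hidden = (_text(root, "t:Settings/t:Hidden") or "false").lower() == "true"
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")

    flags = []
    if hidden:
        flags.append("hidden_task")
    if run_level == "HighestAvailable":
        flags.append("runs_elevated")
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        flags.append("persists_across_logon")
    for action in actions:
        command = (action["command"] or "").lower()
        if any(fragment in command for fragment in USER_WRITABLE):
            flags.append("command_in_user_writable_dir")
    return {"triggers": triggers, "actions": actions, "hidden": hidden,
            "run_level": run_level, "flags": flags}


if __name__ == "__main__":
    print(parse_task_xml(SAMPLE_TASK_XML))
```

On a live host the same function can be pointed at the registered copy under C:\Windows\System32\Tasks\Updates\xanAlavQkh, which is where schtasks stores the imported definition; the temp file itself is usually gone by the time anyone looks.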
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/2380-1-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/2380-0-0x0000000000350000-0x0000000000406000-memory.dmp
memory/2380-2-0x00000000054D0000-0x0000000005A74000-memory.dmp
memory/2380-3-0x0000000004DE0000-0x0000000004E72000-memory.dmp
memory/2380-4-0x0000000005090000-0x00000000050A0000-memory.dmp
memory/2380-5-0x0000000004EA0000-0x0000000004EAA000-memory.dmp
memory/2380-6-0x0000000005070000-0x0000000005084000-memory.dmp
memory/2380-7-0x0000000005210000-0x000000000521A000-memory.dmp
memory/2380-8-0x0000000005220000-0x000000000522E000-memory.dmp
memory/2380-9-0x0000000006100000-0x0000000006182000-memory.dmp
memory/2380-10-0x0000000008840000-0x00000000088DC000-memory.dmp
memory/2696-15-0x0000000004D70000-0x0000000004DA6000-memory.dmp
memory/2696-16-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/3940-18-0x0000000004C20000-0x0000000004C30000-memory.dmp
memory/2696-17-0x0000000004D60000-0x0000000004D70000-memory.dmp
memory/2696-19-0x00000000053E0000-0x0000000005A08000-memory.dmp
memory/3940-20-0x0000000004C20000-0x0000000004C30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6F73.tmp
| MD5 | fd76ed92e33d068be5b4f32dbfceaeb1 |
| SHA1 | a62318bfcd966d30f83c41f95b0831116f25862f |
| SHA256 | f9d749a1ea7822f30cff470dfeefa4579f065ef263e4f49a6a985a61e8311996 |
| SHA512 | 1feff4a4235ba4c1ceeedd7392e3de7e15bce51fe81293dd6d2d42e7ec74dbfb5712cd20d59433175bc778b3c6dcd8921c60c3b1692bb384357dadeb0217fd83 |
memory/2696-21-0x0000000004D60000-0x0000000004D70000-memory.dmp
memory/3940-23-0x0000000074FC0000-0x0000000075770000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4bjscaox.mor.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4424-40-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3940-35-0x0000000005A00000-0x0000000005A66000-memory.dmp
memory/3940-24-0x0000000005230000-0x0000000005252000-memory.dmp
memory/2696-42-0x0000000005DE0000-0x0000000005E46000-memory.dmp
memory/4424-43-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/2696-44-0x0000000005E50000-0x00000000061A4000-memory.dmp
memory/2380-49-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/4424-50-0x0000000004E40000-0x0000000004E50000-memory.dmp
memory/3940-51-0x00000000060F0000-0x000000000610E000-memory.dmp
memory/2696-52-0x00000000063A0000-0x00000000063EC000-memory.dmp
memory/3940-53-0x0000000007070000-0x00000000070A2000-memory.dmp
memory/3940-55-0x0000000075820000-0x000000007586C000-memory.dmp
memory/3940-67-0x0000000007050000-0x000000000706E000-memory.dmp
memory/2696-57-0x000000007F960000-0x000000007F970000-memory.dmp
memory/3940-54-0x000000007F260000-0x000000007F270000-memory.dmp
memory/2696-56-0x0000000075820000-0x000000007586C000-memory.dmp
memory/3940-78-0x00000000072C0000-0x0000000007363000-memory.dmp
memory/3940-79-0x0000000004C20000-0x0000000004C30000-memory.dmp
memory/2696-76-0x0000000004D60000-0x0000000004D70000-memory.dmp
memory/2696-80-0x0000000007C60000-0x00000000082DA000-memory.dmp
memory/3940-81-0x0000000007420000-0x000000000743A000-memory.dmp
memory/3940-82-0x0000000007490000-0x000000000749A000-memory.dmp
memory/2696-83-0x00000000078A0000-0x0000000007936000-memory.dmp
memory/3940-84-0x0000000007620000-0x0000000007631000-memory.dmp
memory/2696-85-0x0000000007850000-0x000000000785E000-memory.dmp
memory/3940-86-0x0000000007660000-0x0000000007674000-memory.dmp
memory/3940-87-0x0000000007760000-0x000000000777A000-memory.dmp
memory/3940-88-0x0000000007740000-0x0000000007748000-memory.dmp
memory/2696-91-0x0000000074FC0000-0x0000000075770000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 40ba1f75d244245ee1d71aa98dd9677a |
| SHA1 | afd440b0705aa29eb49fa16988682de0726eabff |
| SHA256 | 95db9c977880e5970a522fd98ddb125efbbeef31e5bd7923040a34dc34e636d2 |
| SHA512 | 501c68c82ae836fbfab1c7a6d90dcba2d42c432be1f42933566ccef51be25ba50b0d7b52ee394463cd586ba79423b722f18206890522d776db09b4a8bc8d0e11 |
memory/3940-95-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/4424-96-0x00000000063F0000-0x0000000006440000-memory.dmp
memory/4424-97-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/4424-98-0x0000000004E40000-0x0000000004E50000-memory.dmp